Welcome back. In this lesson, I'm going to start with an introduction to sensitive data exposure problems. Specifically, we're going to talk about what sensitive data exposure problems are, and then I'm going to introduce some general strategies for preventing sensitive data exposure. At the end of this lesson, you'll be able to discuss sensitive data exposure issues and formulate methods for preventing them. Let's dive in. Thinking back to the example I described in the last lesson, the reason sensitive data exposure issues come about in applications is that there tends not to be enough protection for the particularly sensitive data that the web application is either transmitting or storing. For example, this comes about when the web application uses weak cryptography to store sensitive data, such as passwords. There is a specific technique for storing password-related data that we're going to get into in a later module. The specific issues that we're going to discuss in Module 4 are the following. The first issue is using Personally Identifiable Information to create the session ID. The second issue is the web application not encrypting sensitive information using current standards. Another issue is improperly storing passwords; the technique we're going to cover in the lab will show you a good way of handling this for your web applications.
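To make the "improperly storing passwords" issue concrete, here is an added example (not code from the course or its lab) that puts a weak scheme, an unsalted fast hash, beside an acceptable one: a per-user random salt with a slow, iterated key derivation function, and a constant-time comparison on verification. The record format `pbkdf2_sha256$iterations$salt$digest` and the iteration count are assumptions chosen for illustration; the lab's own technique may differ.

```python
import hashlib
import hmac
import os

# Weak: unsalted, fast hash. Two users with the same password get the same
# digest, so one precomputed table (or one cracked hash) exposes all of them.
def weak_store(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# Assumed work factor for this example; tune it for your own hardware so a
# verification stays well under a second while an attacker's guessing is slowed.
PBKDF2_ITERATIONS = 600_000

def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: scheme, work factor, salt and digest.

    Storing the parameters with the record lets you raise the iteration count
    later without invalidating existing users.
    """
    salt = os.urandom(16)  # fresh random salt per user, never reused
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt/parameters and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        iterations = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: refuse rather than guess
    if scheme != "pbkdf2_sha256" or iterations <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # hmac.compare_digest avoids leaking, via timing, how many leading bytes matched.
    return hmac.compare_digest(candidate, expected)

if __name__ == "__main__":
    # Constructed demo input.
    print("weak, same digest for same password:",
          weak_store("hunter2") == weak_store("hunter2"))
    rec = hash_password("hunter2", iterations=1000)
    print("stored record:", rec)
    print("correct password verifies:", verify_password("hunter2", rec))
    print("wrong password rejected:", verify_password("hunter3", rec))
```

Note that with the hardened scheme two users who pick the same password get different records, because each has its own salt, so a breach of the database gives the attacker no shortcut across accounts.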
The last issue that we're going to discuss in Module 4 is using HTTP for sensitive client-server exchanges instead of the more secure HTTPS. Given the issues we just discussed, here are some general strategies for preventing them. This is a general strategy list that comes from OWASP. The first strategy, and this is the fundamental one to employ when you're trying to protect sensitive data in your web application, is to know the types of data that you'll be transmitting or storing and what level of sensitivity each kind of data has. Once you know this, you can build a security requirements list for your web application, so that you have, or can generate, a plan to handle that data safely. Which leads us to the second general strategy: build the security requirements for handling the sensitive data you're going to be using into your software requirements. Another general strategy is to pay attention to how and where the data can be cached, and to know how to disable caching of your sensitive data. For example, the sensitive data your web application handles could be cached at a proxy, or it could be cached on the browser side. Understanding where these points are will help you generate strategies for handling caching of the sensitive data you'll be dealing with. Another general strategy is to know how to use cryptography, even in a basic sense, and to understand what the current minimum requirements or standards are. Again, I highly recommend the book Cryptography Engineering by Ferguson, Schneier and Kohno, which I mentioned in Module 1.
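As an added example for the caching strategy (not code from the course), here is the set of response headers that tells both the browser and any intermediate proxy not to store a response carrying sensitive data, together with a small checker that reads `Cache-Control` the way a cache would. The checker is a deliberate simplification of HTTP caching rules, enough to show the one distinction the strategy hinges on: `private` only keeps a response out of shared (proxy) caches, while `no-store` keeps it out of the browser cache as well.

```python
def sensitive_response_headers() -> dict:
    """Headers for a response that must not be retained anywhere along the path."""
    return {
        "Cache-Control": "no-store",  # no browser cache, no proxy cache
        "Pragma": "no-cache",         # for HTTP/1.0 intermediaries that ignore Cache-Control
        "Expires": "0",               # belt and braces for legacy caches
    }

def parse_cache_control(value: str) -> dict:
    """Turn 'private, max-age=600' into {'private': True, 'max-age': '600'}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if arg else True
    return directives

def may_be_cached(headers: dict, shared_cache: bool) -> bool:
    """Return True if a cache of the given kind is allowed to store the response.

    shared_cache=True models a proxy/CDN; False models the user's browser.
    Simplified: ignores heuristic freshness, Vary, Authorization and Set-Cookie.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lowered.get("cache-control", ""))
    if "no-store" in cc:
        return False          # nobody may store it
    if shared_cache and "private" in cc:
        return False          # browser may store it, proxies may not
    return True

if __name__ == "__main__":
    # Constructed header sets for the demo.
    for label, hdrs in [
        ("sensitive (no-store)", sensitive_response_headers()),
        ("private only", {"Cache-Control": "private, max-age=600"}),
        ("no header at all", {}),
    ]:
        print(f"{label}: proxy={may_be_cached(hdrs, True)} browser={may_be_cached(hdrs, False)}")
```

The second case is the one that catches people: a developer sets `Cache-Control: private` thinking the page is protected, but the account statement is still written to the user's disk cache, where it can be read by anyone with access to that machine. A response with no caching header at all is the worst case, since both the proxy and the browser are free to keep it.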
The last general strategy is to not store sensitive data unless you really need to. For example, ask yourself: do I really need to store this credit card information? And if you do, are there standards out there that can help me handle it correctly? A standard way to handle credit card information, if you need to store it, is to use tokenization as described under PCI DSS, which I will give you a link to in a later slide. In summary, we briefly talked about what sensitive data exposure problems are, and then we talked about some of the general strategies that you can use to prevent sensitive data exposure issues in your web application. That's all for now. Thanks for listening.